tv [untitled] February 8, 2012 11:30am-12:00pm EST
the fcc's communication and has been informing recommendations for best practices for communication systems. how do you see this process contributing to improvements in cyber security or, said another way, what is fcc's role in the coordinated defense that we heard about? >> i'm really glad you said that because i've been sitting here trying to remember what it stood for. i had gotten all but two of the letters. we all said when you talk about cloud and mobile that we're moving to a world where the role of the service providers is going to be more information. and that's where fcc and ntia are the lead agencies. right now there are others, of course narks are involved. but fcc originally looked at this issue and they were afraid that if they took too active a
role, as i understand it, they might be seen as trying to regulate the internet. and they wanted to avoid that. so instead they have taken on an approach that works more on coordination with private sector experts, with developing venues for these private sector experts to get together and encouraging them to come up with a voluntary approach. and one of the things that i had said to fcc staff a while ago is, try the voluntary approach and if it works, great. if it doesn't work then we'll think about more mandatory measures. so far it looks like it's working. understand there are other measures. congress has other things they're doing. this is where these service providers and the regulators will be one of the key elements of cyber security in the future. >> anyone else? >> so they are in the position to serve in a key role in this education and awareness campaign that we talked about in
coordinating that at the national and in a sustained manner to help deliver messages to constituent stakeholders whether they're home users all of the way up to large enterprises working with the carriers and content providers to be able to help to deliver that message. i think there's a key role in that part of it and showing leadership about how we advise people on how to protect themselves. >> just one point. having worked with them over the past few months. they have set a great example. their house is in order from the cyber security perspective. leadership and really looking -- they're reaching out to private sector saying what are the best practices. they're reaching out to what they tell us to other cios in the government. talking about the need to get the government's house in order that is an exemplary piece. really looking at the policies and issues. we've never seen that before. so i think this is a good time for them to not only build on the awareness they want. i believe it was last spring with the sba, to the hygiene program point, but then jump on that for the larger enterprises also as an example.
>> well, mr. conner, and this is probably what you were referring to the sba, but your testimony notes that according to the fcc three out of every small and mid-size businesses report having been affected by cyber attacks. so what is the role of the fcc in preventing the attacks or aiding the small business community? i'm not familiar with the -- >> i think increasingly the networks underpin all those attacks. you've got the isps, the carriers themselves, and you've got the devices attaching to it. i think one of the areas that we must remember is it's not always outside where those attack vectors come from. and just like organized crime found its way inside organizations, i think increasingly we're going to have to look at that as an attack vector. and that should be something that the fcc takes into consideration, is they look at how to deal with it, in addition to the isp filtering and other
pieces they use. but one thing i would caution, i hear a lot of rhetoric around building separate networks and having lived in a world that i'm old enough that we had separate networks but only had clear people dealing with it. i think the reliability when things like 911 and tsunamis happen, the benefit of having multiple networks on the internet outweigh the needs of a protected isolated network because i don't believe in today's world that's a real answer. >> i don't have any other questions, mr. chairman, i'll yield back the balance of my time. >> i thank the gentlelady for yielding. i believe ms. blackburn is next for questions. then i will go to mr. shimkus next. >> thank you, we do have two competing panels and i apologize for not hearing all the testimony. let me go to mr. lewis. you mentioned your written
testimony the importance of domain name system security, dnssec. can you describe the problem with the domain name system and why dnssec is important? >> i did it again. it's -- i think what you've heard from us all is when the people -- the people who designed the internet designed it as a dod network and then they thought it would grow a little bit. they didn't worry about trust. they didn't worry about authentication. phyllis knew it was her sister on the other end, right? when we did it, we didn't have to worry about this. and so the domain name system, addressing system, is vulnerable to spoofing. it can be manipulated. as you've heard, you can redirect traffic. you any, as far as you can tell on your machine, you're going to a legitimate site and it could instead be the government of iran or a russian cyber criminal. you can spoof it.
and dnssec uses authentication technologies largely so that we reduce that about really almost eliminate it to impersonate another site. >> you know, i think, the challenge with this committee is it's so high tech, so you know, we're lay people for the most part. it's very tough for lay people to understand. that's why we have experts like you come. a lot of us do understand domain, just the basics, why you have a domain. now icann exploding domain names. and with that -- this is one for the whole panel. should we be working with icann to allow dnssec? >> i think everybody's already working that. i would tell you beware of newfangled toys. dnssec has a promise but it also has liabilities today that are equal to the liabilities we have today. will it be there in five to ten years? i hope sooner. this is not there.
not even close. i think we've got to use the capabilities that we have like ev ssl or where the chrome turns green and you know you're safe. when someone says your identity is who it is, it is. and i think that's where the focus instead of buying $19 authentication technology from where sec sales to take a responsible liability for your identity and who that is and if it costs you 500, i think that's where a bully pulpit starts to make a difference in technology. >> mr. dix, anybody else want to respond, pretty much? >> that's fine. i want to go to -- also deal with a democracy movement in the former captive nation. whatever you want to call them, who follow the cyber techs. use years ago, the meddling by china and russia, their neighbors. although the new technological
agents are allowing the movement to get their word out and communicate and that keeps evolving, but you also see governments like belarus try to clamp down on that at which i've also been very concerned about. that's just a statement. it's just an evolving -- it's like a competitive market. when people want to get information but the bad guys want to get around and it moves too fast and we can really regulate. i've always said that about this subcommittee and the tech community. there's going to be a lot of self interests that gets you people to move before they get caught. let me talk -- segue real quickly. i serve on the energy committee and go to power plants all the time. big proponent of nuclear power. and mr. terry's opening statement talked about, well,
you could be secure if you just had a desktop alone and were no longer connected. now, with wi-fi and stuff, who knows what folks could end up doing. but the power utility system relies so much on data going to rtos, really what they're proposing is excitable electrons to get on the grid. if that's all we had to worry about and had a closed system we would be fairly safe. it's all the monitoring and calculation of the load. what's the solution to the utility industry? anyone have -- >> two thoughts. one is, i testified earlier that's why i believe you have to start with doa as a lead. electrical is very different than nuclear at the source. we believe you've got to start within the power production plant itself. we're working with large manufacturers in terms of how do
you authenticate everyone within that power production plant because you want to know what parts, whether the original ones or alternate parts coming in, who they are and where they're from. frankly, that doesn't matter whether they've come from good or bad sources. just know where they come from and they are there. the second thing we then focus on is who are accessing those systems in sharing that information. so only the people with the right authorization or identity can see it. the third thing we're working with them is how that data is shared because data on its own at one location will not solve a grid by definition. >> two other quick points. the idea of a secure network, stand alone secure network doesn't make any sense. people bring their iphone to work and they plug it in to charge. we have seen that happen twice with allegedly isolated air gap networks, so forget it. we need to think about securing
the industrial control systems, networks. this is an avenue of attack. it's a different kind of network technology. right now it's not produced -- it's the typical thing when you buy it, the password is password and the user name is admin. it doesn't take a lot of activity for foreign opponents to figure it out. people also need to look at how their critical infrastructure connects to the internet. when you talk to nuclear company, for example, they'll usually tell you we're not connected. when you do the actual survey, what you find is, you know, sure. so we need to have some way to bring the industry, some companies do great. others need help. we need to figure out how to do that. >> the good news is a lot of these industrial control systems are the same across the sectors. if you can get best practices and some incentives in one sector it will go across the grid in some cases. authentication is one vector, another is what gets executed.
it goes back to the instruction. is it malicious instruction from someone you don't want to that talks to something that controls physical infrastructure. make sure you have technology in those components that looks at whatever operating system is on that and only execute these things. this is simple on these. you only do one job in life. they're a component and it's not like they're a big server. you can lock down what they do. >> thank you. >> thank you. now go to ms. blackburn for five minutes. questions? >> thank you, mr. chairman. and thank you all for being here and for your patience with us. i want to say just a couple of things. i think it is so important that the industry lead on this. anything that we do as different members have said today is going to be passe before the ink is dry on whatever it is that we do.
as we look at the security issues, i think that your guidance is there. another thing, we have spent some time in this committee and also in cmt, commerce, manufacturing and trade, looking at the issue of privacy and the data security issue, the breach notification issue, which is a component of what we have here. and quite frankly, i think that most people do not realize the vulnerability that exists there in their home and the computer that is there. and believe you me, i hear about it a lot with my district in tennessee with all the songwriters and entertainers and the individuals that are logistics or financial services or health care, auto engineers and so the problems are compounding for this every day. as we look at the privacy issue
and my conversations with them. let me ask you about federal preemption. as we look at our standards on breach notification, data security, i wonder if you all have any thoughts on putting in federal preemption language and making certain that we are looking at one standard and the importance of that. >> if i could. >> yes. >> we're supportive of a federal preemptive notification requirement. i think we have 47 different ones now through mu-- if you're a multi-state company it's very difficult. one of the things i've been hammering on throughout today and generally is that we have to understand that this is not a technical problem. it involves costs. if you can find a way to reduce costs, we can have good standards but we don't have to have multiple good standards. more compliance costs, preshrimp my indication, better adherence,
better security, better privacy and that lower costs. and i think that ability to cut through kind of the government's falling all over itself at the various levels is critical to get that going. so i'm very supportive of that. >> i would second that. i would tell you that the single largest legislation issue that has brought security from being in the stonehenge to today is probably california in 1936. there you have a carrot and a stick. if you try to protect yourself with encryption, you're safe. if you haven't, you're liable for a class action suit. that was heard around the u.s. the problem is, as larry said, we've got too many state legislation with password that is password that needs to get dealt with. that is linked to cyber
security. the second piece i'll tell you is the regulation that was passed by the fcc about disclosure is going to have just as profound impact. the problem is it's only public companies. and that disclosure is pretty nebulous in terms of being meaningful for you as a small businessperson in knoxville or nashville or memphis in terms of what that means to you. >> okay. thank you. i'll yield back. >> gentlelady yields back. now i think our final questioner is mr. bilbray from california. we welcome your comments. you're recognized for five minutes. >> thank you, mr. chair. mr. conner, do you believe that law enforcement has the tools they need to go after cyber criminals as described in your testimony? >> no, they do not. i've got to tell you, it's -- if you look at the attempts that are being made with dms to -- and within justice to have the criminal network geared up, i
think part of the problem is we looked eight in their one-time uses for critical events. unless you use it every day, that system is never going to be ready. we partnered with interpol to do just that. they have 6,000 agents worldwide. and their issue was -- because we certainly didn't have the money. interpol is treated like a country now under passport control. we were able to put their passport information so it has biometrics. unfortunately this country doesn't deal with that in its passport today. its first generation digital. the second thing it has -- and this is all on commercial chips. it has software to do logical access so that 6,000 agents, if they go after tsunami, they can go on any network, including internet cafe and get that information, whether it's mobile, et cetera, and last but not least, physical access to
every interpol office. all that technology resides on this little card that -- this is a real one. that those 6,000 agents choose around the world today as they follow crime, jurisdictions, that have three different standards, three different use cases that allows them to do their job. why is it important? because it's what he has to or she use every day. to the extent it's not something you use every day, it will not be useful at the time and need in some event. >> so basically you're saying cyber crime where we -- my mike is on. where a place in cyber crime where we were in the '30s with the bad guys running around with thompson machine guns and the cops carrying .38 revolvers. >> worse than that, we're isolated. we're isolated here in the u.s.,
as my colleague said, the most at risk and no ability to interwork with the capability with the good guys to defend that. >> interesting you bring that up because i think that most of us here will remember after 9/11, this issue of the technology, security, the biometrics, the high-tech stuff was one of the top priorities of the 9/11 commission. we pass the thing called real id bill and now everybody has found excuses to keep dragging it on and dragging it on. in fact, i think we're even giving grants to states for homeland security and states are refusing to implement the 9/11 and we haven't -- >> right. >> so we've given them money and they basically say we want to spend it on other things rather than the first priorities. you think we may want to revisit that whole situation rather than just ignoring the fact that -- >> absolutely. i spoke the morning after bush addressed both the house and senate, that morning after i was with mr. bennett and other legislators that were leading this effort, and spoke at nato
after 9/11 on -- we've learned how to defend air, land, and sea. the next frontier is in those t years, we made a lot of progress but the bad guys have made more progress. and they can jump across jurisdiction with no legislative legal barrier. >> mr. chairman, i have to say that this is one thing that i think our committee always deferred over to homeland security. but here's a point where we may want to talk about both sides of the aisle should be able to cooperate on. we've got a consensus there. and, frankly, the bad guys in here, the obstructionists are on both sides of the aisle, too. so maybe this committee can take a look at how we can go back and revisit that and address that issue. and i appreciate the fact that you draw the line about i'm concerned and i'll ask the doctor to jump in here. the two at the end brought up two interesting things. when we develop strategies how to address this, we don't want to create a box that gives people the litigate and private
sector. but we don't want to create a box that allows the bad guys to know how far they have to move outside to avoid it. i would solicit both comments. let's start with the doctor and then go back how can you elaborate again how that creating an arbitrary box may be utilized by the bad guys? >> i think it was said earlier and even by the ranking member, this issue is so vast. this is science. if you start saying you'll implement these five things, the adversary is always looking at how to get around that. they know the target and what they want. they spend many months and people on finding exactly the intellectual property they want. they find the person and the company. if we say we're going to seal up these gateways and these ways, these are the best practices we must follow. when it's a regulation, that's where the money will go. and after that, the money won't go to anything new and
different. and, therefore, the adversary then always goes outside that. it's like the industrial control system, they say they're disconnected. true story after true story finds that little modem out the back so the person can watch the game while they do the monitoring. there is always a way out in science. and we want to do is instead incentivize. we're not incentivized to what is for the greater good. if you put that money and incentive towards innovation, we'll end up building stronger and better technology. as to the point earlier, many times the speed that legislation could even get through to do the protection. >> that's a great question. i'm frankly less concerned about what we say we're doing, say anything you want by the time you say it. they've already figured that out. they're not waiting for us to legislate and regulate and figure out the next hole. i think the model is clear and it's in dod.
we still have strong army, air force, marines, coast guard and they act on their own. they are highly integrated with their suppliers. there is what is publicly available. there is what you do in that that is public and not public. i think that's how cyber security has to be treated. there was 10%st money set aside to deal with cyber security. no army, air force department, they had to get their best and write us in on it. they had to share what is public is public and what's not public is equally and maybe more important. >> thank you, mr. chairman. mr. chairman, they refer to australia being a son of an australian war bride. reminds me of a story of a notorious australian bushman, that robber named ned kelly. in fact, the head of the rolling
stones played it. but ned kelly was notorious for putting so much armor on so that nobody could shoot him. his armor slowed him down so much that they shot him in the back where he wasn't armored. i think that may be very symbolic of the ned kelly syndrome that we put on so much armor thinking we're defending and we're creating an opportunity for the bad guys to get around. >> i thank all of our committee members for letting us have a little more freewheeling hearing. the value of the content we got from you all is unparalleled. and i think my colleague and i will be reaching out to each of you to say come back to us with what really would work. we got a lot of that today and our staff has that. we're going to move forward on this. i think there's an opportunity to look at device manufacturers, perhaps the phone side, the router side. there is an issue on the education side. and so we really appreciate what you're doing out there in this
fight and your input to us so we can try to get it right and solve this problem. with that -- >> i would say bravo and thank you very much. every member really drew so much from your testimony and the answers to our questions have been most, most helpful. thank you. thank you, mr. chairman. >> thank you. and with that, the committee will stand adjourned.
caucuses on march 3rd. of course, super tuesday looms on the horizon with 11 states holding caucuses including alaska, idaho, north dakota, wyoming, and virginia. don't forget to go to our website at c-span.org slash campaign2012. again, that's c-span.org/campaign2012. >> my important points on who should run, we can't tell them. i think it is better if like a month before the election we announce who is running for president. because i mean the media's obsessive desire to know who is your leader, is it michael steele? is it rush limbaugh? glenn beck? is it sarah palin? they want us to tell us who the leader is so they can fixate on that person and destroy him or her. >> this year's conservative
political action conference begins thursday and c-span will cover their events through the weekend. watch past speakers online at the c-span video library. all archived and searchable at c-span.org/videolibrary. this discussion is part of a day long summit discussing innovative ways of addressing problems in military voting. this was hosted by the overseas vote foundation.
this is going to be a discussion between and amongst those who have a common interest in facilitating participation of our men and women in uniform and that most fundamental of american rights which is that right to vote. we live in a representative republic where the underlying premise of that republic is that through the process of elections that we choose leaders who represent our point of view. the voters will oversee the elections and make sure that everything is upheld. to the degree that the actions of these elected officials impact our lives and nowhere is the impact on someone's life more profound by a public official than those folks who are in our uniforms.